The General Data Protection Regulation (GDPR) (EU) 2016/679 is a comprehensive European Union data protection and privacy regulation regime which applies to all EU Member States. The GDPR rules apply to almost all private sector processing by organizations in the EU or by organizations outside the EU, such as JourneyApps, which provide products or services to EU residents. The regulation is effective as of May 25, 2018 and applies to the processing of personal data relating to an identified or identifiable individual (natural person). It does not apply to processing of personal data relating to legal entities.
The users who provide personal information when using our service, website, the JourneyApps Platform and the applications developed for our customers are known as “Data Subjects” in terms of GDPR.
Our customers, who control the purpose and means of processing the personal data collected through the JourneyApps Platform and the applications we developed for them, are known as “Controllers” in terms of GDPR.
JourneyApps is a “Processor”, where we process and use personal data about Data Subjects only as instructed by our customer (the Controller) in terms of a written agreement. In these instances, our customers are responsible for ensuring that Data Subjects provide consent to (to the extent that consent is required) for the collection and processing of personal data using the customer’s application. In respect of personal data collected via our website, JourneyApps is a “Controller” in terms of GDPR. We act as a “Controller” when we collect personal data on our website, through our various technical support or customer interaction channels in order to provide timely customer support, or through the JourneyApps Platform when we administer user accounts.
As a Processor, JourneyApps will take all reasonable required steps to assist Controllers with their compliance obligations under the GDPR. Where JourneyApps is the Controller, JourneyApps accepts responsibility for compliance with the requirements of GDPR in respect of Controllers.
Our customers own all rights to the personal data collected using the JourneyApps Platform and any application developed and hosted on the platform. JourneyApps never uses any user data, except insofar as it is required to ensure the successful operation of an application, which is included in the authority given by our customer. When our relationship with a customer ends, or on request from the customer, all customer and user data is securely and permanently deleted, and a copy is provided to the customer.
JourneyApps collects data, which may include personal data of Data Subjects, in one of three ways:
When an individual clicks on “Contact Us”, we collect their full name, phone number, business email address, company name (if applicable) and online identifier information.
When an individual signs up to use the JourneyApps Platform, or any ancillary service used to access the platform or administer an application, we collect their name, email address and online identifier.
Customer Support and Interaction Channels
We use a number of channels to provide application development services and technical support to customers and users and to contact customers and users with important information regarding the JourneyApps Platform and customers’ applications. When we interact with users in this way, we collect the user’s name and relevant contact information.
We use the JourneyApps Platform to develop, operate and host custom applications for our customers. Each application is developed according to a customer’s specifications and therefore the personal data collected using the application varies depending on the application’s purpose and the customer’s requirements.
Our customers’ applications are rarely used to collect personal data, and where personal data is collected it is seldom sensitive. Personal data collected from users of a customer’s application is typically, but not always, limited to a user’s name, email address, phone number, address, employee or contractor identification number and the location where the application is used and the device used to access the application.
The GDPR provides for various rights to data subjects and specific principles for lawful processing.
These include for example the Data Subject’s right to access the personal data held by the Controller (or Processor on behalf of the Controller) and the right to Erasure (or as it is referred to – “the right to be forgotten”). Data subjects may send a request for deletion or a request to obtain a copy of all personal information collected from their use of the JourneyApps website to our Data Processing Officer (firstname.lastname@example.org), and the JourneyApps Platform or any application hosted on the JourneyApps Platform to the customer (as the Controller of the personal data). Data subjects can also contact our Data Protection Officer (email@example.com) directly where after we will engage our customer to consider and comply with the request.
JourneyApps has always valued the trust our customers and users place in us, and we have always adhered to strong data security protocols. As part of our GDPR compliance assessments, we have worked with our legal team and engineers to further address all aspects of GDPR that are applicable to us.
Our Agreements and Policies
We have updated our Master Services Agreement (“MSA”) to provide more information on data privacy and security, and have also made our Data Processing Addendum (“DPA”) available online for customers to use. The DPA is an addendum to the MSA and elaborates on the data privacy and security clauses in the MSA. Customers may download the DPA and return a signed copy to our Data Protection Officer. Our DPA includes European Union Model Clauses, also known as Standard Contractual Clauses, to meet the adequacy and security requirements for our customers who operate in or have users in the EU.
Customers may specify their specific data management rules with respect to their users’ personal information in their Master Services Agreement, or any other agreement, with us, such as requiring their applications to be configured so that all personally identifiable information (PII) is expunged from the JourneyApps Platform after a specific period. We only keep personal data for the period as required by the customer or until the agreement is terminated. We never use personal data of users for any other purpose than to host and support an application for our customer.
Our agreements with customers provide assurance that the customer will retain all rights to personal data collected as a result of the agreement with us. Customers are able to view the types of data collected or request a copy of the data at any time. Customers always have access to all of the data and can download copies at any time using the JourneyApps Platform. Customers are responsible for ensuring that the users of their applications provide the necessary consent, to the extent that consent is required. Users may revoke that consent by contacting the customer and JourneyApps will provide the customer with assistance to carry out the instruction from the user. A user may, however, be unable to use an application if they revoke consent and should always reference any agreement between them and the customer to understand their specific rights with respect to an application.
Our Cloud Partners
JourneyApps uses only reputable providers of cloud storage and processing services as its own sub-processors, and have entered into agreements with each which commits them to complying with all aspects of GDPR. Our main data sub-processors, such as Amazon Web Services (AWS) and Microsoft, maintain rigorous security standards (SOC2 and/or ISO 27001 certifications).
We take the security of customer and user data very seriously and use several rigorous measures to protect customer and user data. For more information on JourneyApps’ approach to data security, refer to our Security Whitepaper.